Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-microsoft365-compliance
Overview
6Dashboards
126Benchmarks
36Queries
2Variables
GitHub

Control: 1.1.3 Ensure that between two and four global admins are designated

Description

Between two and four global administrators should be designated in the tenant. Ideally, these accounts will not have licenses assigned to them which supports additional controls found in this benchmark.

If there is only one global administrator, they could perform malicious activities without being detected by another admin. Designating multiple global administrators eliminates this risk and ensures redundancy if the sole remaining global administrator leaves the organization.

However, to minimize the attack surface, there should be no more than four global admins set for any tenant. A large number of global admins increases the likelihood of a successful account breach by an external attacker.

Remediation

To remediate using the UI:

  1. Navigate to the Microsoft 365 admin center https://admin.microsoft.com.
  2. Select Users > Active Users.
  3. In the Search field enter the name of the user to be made a Global Administrator.
  4. To create a new Global Admin:
    1. Select the user's name.
    2. A window will appear to the right.
    3. Select Manage roles.
    4. Select Admin center access.
    5. Check Global Administrator.
    6. Click Save changes.
  5. To remove Global Admins:
    1. Select User.
    2. Under Roles select Manage roles.
    3. Deselect Global Administrator.
    4. Click Save changes.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v500_1_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_1_1_3 --share

SQL

This control uses a named query:

with global_administrator_counts as (
  select
    role.tenant_id,
    role._ctx,
    count(*)
  from
    azuread_directory_role as role,
    jsonb_array_elements_text(member_ids) as m_id,
    azuread_user as u
  where
    u.id = m_id and role.display_name ='Global Administrator'
  group by
    role.tenant_id,
    role._ctx
)
select
  tenant_id as resource,
  case
    when count >= 2 and count <= 4 then 'ok'
    else 'alarm'
  end as status,
  tenant_id || ' has ' || count || ' global administrators.' as reason
  , tenant_id as tenant_id
from
  global_administrator_counts;

Tags

category = Compliance
cis = true
cis_item_id = 1.1.3
cis_level = 1
cis_section_id = 1.1
cis_type = automated
cis_version = v5.0.0
microsoft_365_license = E3,E5
plugin = microsoft365
service = Azure/ActiveDirectory